Method and system for providing high availability to distributed computer applications

ABSTRACT

Method, system, apparatus and/or computer program for achieving transparent integration of high-availability services for distributed application programs. Loss-less migration of sub-programs from their respective primary nodes to backup nodes is performed transparently to a client which is connected to the primary node. Migration is performed by high-availability services which are configured for injecting registration codes, registering distributed applications, detecting execution failures, executing from backup nodes in response to failure, and other services. High-availability application services can be utilized by distributed applications having any desired number of sub-programs without the need of modifying or recompiling the application program and without the need of a custom loader. In one example embodiment, a transport driver is responsible for receiving messages, halting and flushing of messages, and for issuing messages directing sub-programs to continue after checkpointing.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority from U.S.patent application Ser. No. 13/865,827, filed Apr. 18, 2013, now U.S.Pat. No. 8,839,034 issued on Sep. 16, 2014, which is a divisional ofU.S. patent application Ser. No. 13/333,456, filed Dec. 21, 2011, nowU.S. Pat. No. 8,433,951 which issued on Apr. 30, 2013, which is acontinuation of and claims priority from U.S. patent application Ser.No. 12/693,960 filed on Jan. 26, 2010, now U.S. Pat. No. 8,108,722issued on Jan. 31, 2012, which is a continuation of and claims priorityto U.S. patent application Ser. No. 11/741,535 filed on Apr. 27, 2007,now U.S. Pat. No. 7,681,075 issued on Mar. 16, 2010, which claims thebenefit of U.S. Provisional Application No. 60/797,219 filed on May 2,2006; these applications incorporated herein by reference in theirentirety.

NOTICE OF MATERIAL SUBJECT TO COPYRIGHT PROTECTION

A portion of the material in this patent document is subject tocopyright protection under the copyright laws of the United States andof other countries. The owner of the copyright rights has no objectionto the facsimile reproduction by anyone of the patent document or thepatent disclosure, as it appears in the United States Patent andTrademark Office publicly available file or records, but otherwisereserves all copyright rights whatsoever. The copyright owner does nothereby waive any of its rights to have this patent document maintainedin secrecy, including without limitation its rights pursuant to 37C.F.R. §1.14.

BACKGROUND

1. Field of the Invention

This invention pertains generally to enterprise computer systems,computer networks, embedded computer systems, and computer systems, andmore particularly with methods, systems and procedures (i.e.,programming) for providing high availability services and automaticfault detection and recovery for computer applications distributedacross multiple computers.

2. Description of Related Art

Enterprise systems operating today are subject to continuous programexecution, that is 24 hours a day and 7 days a week. There is no longerthe concept of “overnight” or “planned downtime”. All programs and datamust be available at any point during the day and night. Any outages ordeteriorated service can result in loss of revenue as customers simplytake their business elsewhere, and the enterprise stops to function on aglobal scale. Traditionally, achieving extremely high degrees ofavailability has been accomplished with customized applications runningon custom hardware, all of which is expensive and proprietary.Furthermore, application services being utilized today are no longer runas single processes on a single server, yet are built instead from acollection of individual programs running on different servers.Traditionally, no mechanisms have existed for protecting these fullydistributed applications. This problem is compounded by the fact thatthe individual applications comprising the service are typicallyprovided by different vendors.

Two publications provide a background for understanding aspects of thecurrent invention. A first publication is U.S. patent application Ser.No. 11/213,678 filed on Aug. 26, 2005, and published as US 2006-0090097A1 on Apr. 27, 2006, incorporated herein by reference in its entirety,which describes providing transparent and automatic high availabilityfor applications where all the application processes are executed on onenode. A second publication is U.S. patent application Ser. No.11/213,630 filed on Aug. 26, 2005, and published as US 2006-0085679 A1on Apr. 20, 2006, incorporated herein by reference in its entirety,which describes technology to support stateful recovery of multi-processapplications wherein the processes are running on the same node.However, the above-referenced publications do not fully addressdistributed applications where an application runs across multiple nodesat the same time, and where fault detection and recovery need to involvemultiple independent nodes.

Therefore, a need exists for a method and system for achieving highavailability and reliability for distributed applications, in a mannerthat is automatic, transparent to the client, and which does not requirecustom coding, custom applications, or specialized hardware.

BRIEF SUMMARY

A method, system, apparatus and/or computer program are described forachieving transparent high availability and loss-less migration ofdistributed application programs. The system provides transparentmigration and fail-over of distributed applications while ensuring thatconnected clients remain unaware of the migration. The client'sconnection and session are transparently transferred from the primary tothe backup server without any client involvement.

In at least one embodiment, a high-availability services program isconfigured for automatically performing a number of applicationservices, including: injecting registration code into sub-programsduring launch, registering the distributed application, detectingexecution failures, and executing from backup nodes in response tosub-program failure, application failure or node failure. The servicescan be integrated transparently into the system in that they areimplemented on the system without the need of modifying or recompilingthe application program and without the need of a custom loader.

The term “high-availability services” is utilized herein to designate aset of system-level services which protect distributed applications toassure that execution of these applications is provided with highavailability. High availability can be generally considered acharacteristic of a distributed application when a level of faulttolerance is provided to reduce or eliminate the possibility of losingaccess to the application as a consequence of sub-program or nodefailures. The high availability services run (execute) on each node(computer) of a network, grid, or other distributed communicationsconfiguration and protect all the distributed components of thedistributed application.

The term “node” is utilized herein to designate one or more processorsrunning a single instance of an operating system. A virtual machine,such as VMWare or XEN, is also considered a “node”.

The term “grid” is utilized herein to designate a collection of nodesable to communicate via a network, custom backplane, or system busses.

The term “distributed application”, “grid application” and “application”are utilized herein interchangeably. Each of these terms is meant toconvey an application comprised of one or more sub-programs running onone or more nodes (i.e., computers), and in which all of thesub-programs jointly provide a service, such as for example running alarge seismic computation.

The term “program” and “sub-program” is utilized to designate anindividual application or a component of a larger distributedapplication. In practical terms, it is an executable that can run andproduce a result on an individual node. Sub-programs can consist of oneor more processes, all of which can be single or multi-threaded.

The term “coordinator” is utilized for designating a special controlprocess running as an element of the invention. The coordinator isgenerally responsible for sending out coordination events and tocoordinate activities across all sub-programs in a distributedapplication. For the sake of simplicity the coordinator is described asrunning on its own node, however, this is not a requirement as thecoordinator can run on any desired node.

The term “transport” is utilized to designate the connection, mechanismand/or protocols used for communicating across the distributedapplication. Examples of transport include TCP/IP, Message PassingInterface (MPI), Myrinet, FiberChannel, ATM, shared memory, DMA, RDMA,system busses, and custom backplanes. In the following, the term“transport driver” is utilized to designate the implementation of thetransport. By way of example, the transport driver for TCP/IP would bethe local TCP/IP stack running on the host.

The term “Transport Communication Layer (TCL)” shall be used todesignate the interface between the application and the transport asprovided by the invention. The TCL is generally viewed as a componentwithin the invention, but can also be directly provided by the transportor the application. By way of example, the TCL for TCP/IP may comprise alayer insulating the application from the local implementation of TCP/IPand providing services to be described below.

The term “channel” or “message channel” is utilized to designate thespecific communication mechanism used by the implementation of thetransport to communicate and move data, for example between thesub-programs and the transport itself. Generally “channels” areimplemented using TCP/IP, sockets, pipes, FIFO, system busses, sharedmemory, backplanes or other proprietary messaging mechanism.

In the following descriptions, the product name “Duration” is utilizedin referring to a system as described in the first and second referencescited previously. It should be appreciated, however, that the teachingsherein are applicable to other similarly configured systems.

The present invention comprises a set of system-level high-availabilityservices for distributed applications. The high availability servicesrun on each node (computer) on the grid and protect all the distributedcomponents of the distributed application. One embodiment of theinvention generally functions as an extension of the operating systemexecuting on all grid nodes. A coordination mechanism is utilized toensure that the execution of applications on the grid nodes arecoordinated at certain points in time.

By way of example, and not of limitation, the present inventionimplements high availability for stateless applications (e.g.,sendmail), stateful applications (e.g., Voice over IP (VOIP)),multi-tier enterprise applications (e.g., Apache, WebLogic and OracleDatabase combined), and large distributed applications, for examplethose found in High Performance Computing (HPC), such as seismicexploration and financial modeling.

According to one aspect of the invention, the distributed applicationruns across a grid (i.e., of computer nodes), with sub-programs on oneor more nodes. Each sub-program is protected individually and has one ormore backup nodes ready to take over (execute the sub-program in theplace of the original) in the event of a fault. The protection of thedistributed program is thus coordinated across the grid and guaranteedto be consistent across the grid to assure high availability.

A distributed application can be configured according to the inventionwith any number of sub-programs running on any number of nodes. Eachsub-program runs on a primary node while a backup node for theapplication stands ready to take over in the event of a fault andsubsequent recovery. The primary and backup can be different nodes orthe primary and backup can be the same node, in which case the faultrecovery is local.

The invention provides layered high availability services fordistributed applications, with high availability offered both across thegrid and at the individual sub-program level. High availability,including fault detection and recovery, for the individual sub-programsis provided by Duration's existing stateful High Availability Services.The invention layers a distributed fault detection and recoverymechanism on top of the local fault detection and ensures that faultdetection and recovery is consistent across the entire grid.

According to one aspect of the invention, a coordinator provides generalcoordination and synchronization for the individual sub-programs of thedistributed applications. By way of example, and not limitation, thecoordinator is shown running on a separate node from the sub-programs tosimplify the following teachings. It should be appreciated, however,that this is not a requirement as the coordinator can run on any node inthe system.

By way of example, and not of limitation, the invention implementsstateless or stateful recovery of a distributed application byrecovering each sub-program and ensuring all sub-programs are recoveredin a consistent state. The recovery is automatic without any applicationor sub-program involvement.

According to an aspect of the invention, there is a clean separation ofthe application logic from the high-availability program code. Thisallows application programmers to focus on writing their applicationcode, rather than on writing high availability code. An administratorcan make applications highly available by simply configuring the desiredsettings, such as by using a graphical configuration tool implementedaccording to the invention. The result is that high availabilityapplications are developed easily and deployed quickly without thenecessity of custom coding.

According to another aspect of the invention, protection is providedagainst node faults, network faults and process faults. The presentinvention provides user-controlled system management, automaticavailability management, and publish/subscribe event management,including notification of faults and alarms.

In various embodiments of the invention, features are provided that areuseful for distributed applications that must be highly available,including but not limited to the following:

(a) Stateful high availability for distributed applications includinghigh performance computing, financial modeling, enterprise applications,web servers,

(b) Configurable protection levels.

(c) Coordinated Restart and stateful restore for distributedapplications.

(d) Coordinated and transparent checkpointing of distributedapplications.

(e) Coordinated full and incremental checkpointing for distributedapplications.

(f) Checkpoints stored on local disks, shared disks, or memories.

(g) Automatic and transparent fault detection for distributedapplications.

(h) Node fault detection.

(i) Process fault detection.

(j) Distributed application deadlock and hang protection throughexternal health checks.

(k) Coordinated automatic and transparent recovery of distributedapplications.

(l) Auto-startup of distributed applications.

(m) Script support of starting, stopping, or restarting.

(n) Dynamic policy updates.

(o) User-controllable migration of distributed applications.

The invention can be practiced according to various aspects andembodiments, including, but not limited to, those described in thefollowing aspects and embodiments which are described using phraseologywhich is generally similar to the claim language.

According to an aspect of the invention a method for achievingtransparent integration of a distributed application program with ahigh-availability protection program comprises: (a) injectingregistration code, transparently and automatically, into allsub-programs during launch, without the need of modifying or recompilingthe application program and without the need of a custom loader; (b)registering the distributed application automatically with thehigh-availability protection program; (c) detecting a failure in theexecution of the distributed application program; and (d) executing thedistributed application program with one or more sub-programs beingexecuted from their respective backup servers automatically in responseto the failure. The high-availability protection program is preferablyconfigured as an extension of the operating system wherein recovery ofapplication programs can be performed without modifying programmingwithin said application programs. The high-availability protection canbe configured for protecting against node faults, network faults, andprocess faults.

According to another aspect of the invention, a method, system,improvement or computer program for performing loss-less migration of adistributed application, including loss-less migration of allsub-programs from a their respective primary nodes to their backup nodesand while being transparent to a client connected to the primary nodeover a TCP/IP, MPI, system bus or other transport. The transport, i.e.TCP/IP, MPI, or system bus will be flushed and halted duringcheckpointing.

According to another aspect of the invention, a method, system,improvement or computer program performs loss-less migration of adistributed application, comprising: (a) migrating one or moresub-programs within an application, without loss, from their respectiveprimary nodes to at least one backup node; (b) maintaining transparencyto a client connected to the primary node over a transport connection;(c) flushing and halting the transport connection during the taking ofcheckpoints; and (d) restoring the one or more sub-programs from thecheckpoints in response to initiating recovery of the application. Theexecution transparency to the client is maintained by ahigh-availability protection program configured to automaticallycoordinate transparent recovery of distributed applications.Transparency is maintained by a high-availability protection program tosaid one or more sub-programs running on a primary node while at leastone backup node stands ready in the event of a fault and subsequentrecovery.

According to another aspect of the invention, a method, system,improvement or computer program performs fault protection forapplications distributed across multiple computer nodes, comprising: (a)providing high-availability application services for transparentlyloading applications, registering applications for protection, detectingfaults in applications, and initiating recovery of applications; (b)taking checkpoints of one or more subprograms within applicationsexecuting across multiple computer nodes; (c) restoring the one or moresub-programs from the checkpoints in response to initiating recovery ofone or more the applications; (c) wherein said high-availabilityapplication services are provided to the one or more sub-programsrunning on a primary node, while at least one backup node stands readyin the event of a fault and subsequent recovery; and (d) coordinatingexecution of individual subprograms within a coordinator program whichis executed on a node accessible to the multiple computer nodes.

According to another aspect of the invention, a method, system,improvement or computer program performs loss-less migration of adistributed application program, comprising: (a) a high-availabilityservices module configured for execution in conjunction with anoperating system upon which at least one application can be executed onone or more computer nodes of a distributed system; and (b) programmingwithin the high-availability services module executable on the computernodes for loss-less migration of sub-programs within the at least oneapplication for, (b)(i) checkpointing of all state in the transportconnection, (b)(ii) coordinating checkpointing of the state of thetransport connection across the distributed system, (b)(iii) restoringall states in the transport connection to the state they were in at thelast checkpoint, (b)(iv) coordinating recovery within a restoreprocedure that is coupled to the transport connection.

According to another aspect of the invention, a system of multiplecomputer nodes over which distributed applications are protected againstfaults, comprising: (a) a plurality of computer nodes upon whichapplications can be executed; (b) an operating system configured forexecution on each computer node and upon which applications areexecuted; (c) a high-availability services module configured forprotecting applications from faults, and for executing in combinationwith the operating system; and (d) programming within thehigh-availability services module configured for execution on eachcomputer node for, (d)(i) providing transparent application functionsfor loading applications, (d)(ii) registering applications forprotection, (d)(iii) detecting faults in applications, and (d)(iv)initiating recovery of applications; (e) checkpointing of one or moresub-programs to create checkpoints for the application executing on atleast one computer node; (f) restoring one or more sub-programs from thecheckpoints when initiating recovery of the application; (g) executingone or more sub-programs on a primary node while at least one backupnode stands ready for executing the sub-programs in the event of a faultand subsequent recovery; and (h) coordinating execution of individualsubprograms within a coordinator program which runs on a node accessibleto the plurality of computer nodes.

According to another aspect of the invention, a computer executableprogram for loss-less migration of a distributed application program,including loss-less migration of all sub-programs, comprising: (a)checkpointing of all state in the transport; (b) a checkpointingprocedure that coordinates checkpointing of transport state across thegrid; (c) a restore procedure that restores all state in the transportto the state they were in at the last checkpoint; (d) a restoreprocedure that hooks into the transport to coordinate the recovery.

According to another aspect of the invention, there is described amethod, system, improvement and/or computer program for maintaining alltransport connection across a fault. Transport connections will beautomatically restored using Duration's virtual IP addressingmechanisms.

Another aspect of the invention is a method, system, improvement and/orcomputer program that provides a mechanism to ensure that thedistributed applications sub-programs are launched in the proper orderand with the proper timing constraints during recovery. In oneembodiment, a mechanism is also provided to ensure that applicationprograms are recovered in the proper order.

Another aspect of the invention is a method, system, computer program,computer executable program, or improvement wherein user controllablelaunch of sub-programs for the distributed application is provided.

Another aspect of the invention is a method, system, computer program,computer executable program, or improvement wherein user controllablestop of sub-programs and distributed applications is provided.

Further aspects of the invention will be brought out in the followingportions of the specification, wherein the detailed description is forthe purpose of fully disclosing preferred embodiments of the inventionwithout placing limitations thereon.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)

The invention will be more fully understood by reference to thefollowing drawings which are for illustrative purposes only:

FIG. 1 is a block diagram of a distributed application with multiplesub-programs and a coordinator, according to an embodiment of thepresent invention.

FIG. 2 is a block diagram of a distributed application with multiplesub-programs according to an aspect of the present invention, andshowing backup locations for each sub-programs.

FIG. 3 is a block diagram of components comprising the HA infrastructureaccording to an aspect of the present invention.

FIG. 4 is a block diagram of the process of taking a consistentdistributed checkpoint according to an aspect of the present invention.

FIG. 5 is a block diagram of application fault detection and restorationfrom a distributed checkpoint according to an aspect of the presentinvention.

FIG. 6 is a block diagram of fault detection and restoration from adistributed checkpoint according to an aspect of the present invention.

FIG. 7 is a block diagram of flushing transport buffers andcheckpointing of the transport state according to an aspect of thepresent invention.

FIG. 8 is a block diagram of an alternate approach to flushing thetransport buffers and checkpointing of the transport state according toan aspect of the present invention.

DETAILED DESCRIPTION

Referring more specifically to the drawings, for illustrative purposesthe present invention will be described in relation to FIG. 1 throughFIG. 8. It will be appreciated that the system and apparatus of theinvention may vary as to configuration and as to details of theconstituent components, and that the method may vary as to the specificsteps and sequence, without departing from the basic concepts asdisclosed herein.

1. INTRODUCTION

The context in which this invention is described is a distributedapplication program consisting of any number of sub-programs. Eachsub-program runs on a primary node and can be supported by one or moredesignated backup nodes. Without affecting the general case of multiplebackups, the following describes scenarios where each sub-program hasone primary node and one backup node. Multiple backups are handled in asimilar manner as a single backup.

The mechanisms for transparently loading applications, transparentlyregistering applications for protection, transparently detecting faults,and transparently initiating recovery are described in the firstreference above which was incorporated by reference.

The mechanisms for taking checkpoints of multi-process, multi-threadedprocesses and restoring from those checkpoints are described in thesecond reference above which was incorporated by reference.

FIG. 1 illustrates, by way of example embodiment 10, a distributedapplication 12 consisting of multiple sub-programs which are exemplifiedas sub-programs 14 a, 14 b and 14 c. By way of example, each sub-programis shown running on a different node 16 a, 16 b and 16 c. Each node runsa copy of the operating system (OS) 18 a, 18 b and 18 c, and each noderuns an instance of what is referred to herein, by way of example andnot limitation, as “High-Availability Services” (HA Services) 20 a, 20 band 20 c, according to the present invention. Every node is connectedusing a transport connection 22, or simply called transport, such asTCP/IP, shared memory, or MPI. A coordinator program 24 runs on acoordinator node 26 which is also shown with OS 18 x and HA services 20x.

FIG. 2 illustrates by way of example a failover scenario for themultiple sub-programs from FIG. 1, wherein for the sake of simplicity ofillustration a single backup is shown for each of the primary nodes 16a, 16 b and 16 c. Sub-program A 14 a which is running on node 0 16 a hasnode 3 32 a as its designated failover location with sub-program 30 a.Sub-program B 14 b which is running on node 1 16 b has node 4 32 b asits designated failover location with sub-program 30 b. Sub-program C 14c which is running on node 2 16 c has node 5 32 c as its designatedfailover location with sub-program 30 c. Accordingly, each sub-programhas one or more designated backup locations. It should be appreciatedthat the backup locations can be the same as the primary location, sothat all restoration after faults will be on the same node.

FIG. 3 illustrates by way of example embodiment 50 a node having variousprogram modules including HA services 52, transport driver 54, andoperating system 56. By way of example, and not limitation, the HAservices include checkpointing services 58, transparency services 60,fault detection and recovery services 62, migration services 64, policymanagement 66, other HA services 68, and transport communication layer(TCL) 70. The transport driver 54 provides the local transportimplementation. Less preferably, HA services may comprise a subset, orsuperset, of the above functionality without departing from theteachings of the present invention.

TCL 70 is responsible for interfacing 72 with local transport driver 54and generally executes as a service in combination with other servicesprovided by HA services 58-68. In the following disclosures TCL can beconsidered as a component within HA services 52 without explicitlyshowing TCL on the diagrams.

2. TAKING A DISTRIBUTED APPLICATION CHECKPOINT

FIG. 4 illustrates by way of example embodiment 90, the manner in whichdistributed checkpoints are taken across the grid. Checkpointing ofsingle node multi-process multi-threaded applications is described inthe second reference given above. By way of example, and not limitation,the distributed application consists of a distributed application 92with multiple subprograms, exemplified as sub-program A 94 a,sub-program B 94 b, and sub-program C 94 c within nodes 96 a, 96 b and96 c. Also within each node is depicted an OS layer 98 a, 98 b and 98 c,HA services 100 a, 100 b and 100 c, as well as TCL 102 a, 102 b and 102c, and a transport driver 104 a, 104 b and 104 c. A transport connection106 is shown, such as TCP/IP, shared memory, MPI, or similarcommunication means. Coordinator 108 is shown running on a coordinatornode 110, and is also shown with OS 98 x and HA services 100 x.

Sub-program A 94 a communicates with its transport driver 104 a viachannel 112 a, sub-program B 94 b communicates with transport driver 104b via channel 112 b, while sub-program C 94 c communicates withtransport driver 104 c via channel 112 c.

By way of example and not limitation, the checkpointing process isinitiated from the coordinator 108 within coordinator node 110. When thecheckpointing process is triggered, coordinator 108 sends a message 114a to TCL 102 a within HA services 100 a of node 0 96 a, message 114 b toTCL 102 b within HA services 100 b of node 1 96 b, and a message 114 cto the TCL within HA services 100 c for node 2 96 c.

The TCL 102 a on node 0 stops processing traffic and sends a message 116a to transport driver 104 a on node 0 96 a, to stop processing and flushall buffers. Similarly, TCL 102 b on node 1 96 b stops processingtraffic and sends a message 116 b to transport driver 104 b on node 1 tostop processing and flush all buffers, while TCL 102 c on node 2 96 cstops processing traffic and sends a message 114 c to transport driver104 c on node 2 96 c to stop processing and flush all buffers.

When transport driver 104 a has been completely stopped and flushed, thetransport drivers sends a message 118 a to HA services 100 a tocheckpoint sub-program A 94 a. When transport driver 104 b has beencompletely stopped and flushed, it sends a message 118 b to HA services100 b to checkpoint sub-program B 94 b. When transport driver 104 c hasbeen completely stopped and flushed, it sends a message 118 c to HAservices 100 c to checkpoint subprogram C 94 c.

By way of example, and not limitation, the messaging provided by 116 a,116 b, 116 c, 118 a, 118 b and 118 c can be provided by any desiredcommunication structures including: pipes, FIFOs, library call-backs,shared memory, IPC messages, TCP messages, or the like. The HA servicesrunning on each node checkpoint sub-program A 96 a, sub-program B 96 b,and subprogram C 96 c. It should be appreciated that since the transportis stopped and not processing any messages, it is guaranteed that therelative states of sub-programs A, B and C are fixed.

To create the checkpoint for the entire distributed application, firstthe checkpoint of subprogram A 94 a is combined with the checkpoint ofthe local TCL 102 a and transport driver 104 a on node 0 96 a. This sameprocedure applies for sub-program B 94 b, local TCL 102 b and transportdriver 104 b on node 1 96 b, and sub-program C 94 c, local TCL 102 c andtransport driver 104 c on node 2 96 c. Finally, all combined sub-programcheckpoints and local transport checkpoints are assembled into onecheckpoint for the entire distributed application. Halting andcheckpointing of the transport is described in further detail below.

When checkpointing of sub-program A 94 a has completed, TCL 102 a sendsa message 114 a to the coordinator 108, that checkpointing ofsub-program A 94 a has completed. Similarly, when checkpointing ofsub-program B 94 b has completed, TCL 102 b sends a message 114 b tocoordinator 108 that checkpointing of sub-program B 94 b has completed,and when checkpointing of sub-program C 94 c has completed TCL 118 csends a message 114 c to coordinator 108 that checkpointing ofsub-program C 94 c has completed. Coordinator 108 waits for allcheckpoints to be completed and sends message 114 a to TCL 102 a toresume operation of sub-program A 94 a, and similarly sends message 114b to TCL 102 b to resume operation of subprogram B 94 b, and message 114c to TCL 102 c to resume operation of sub-program C 94 c. Thedistributed application consisting of sub-program A 94 a, sub-program B94 b and sub-program C 94 c is now running again.

By way of example, the checkpointing process can also be initiated fromthe HA services 100 x on coordinator node 110. In this case HA services100 x sends a message 120 to coordinator 108, which proceeds asdescribed above.

3. RESTORING FROM A DISTRIBUTED APPLICATION CHECKPOINT

FIG. 4 also illustrates by way of example the process of restoring froma distributed checkpoint. Restoring from checkpoints of single nodemulti-process multi-threaded application is described in the secondreference above. The following discussion assumes that the distributedcheckpoint has been assembled using the mechanism described above.

By way of example and not limitation, the restoration process isinitiated from coordinator 108, which sends message 114 a to TCL 102 awithin HA services 100 a for node 0 96 a, and similarly message 114 b toTCL 102 b within HA services 100 b for node 1 96 b, as well as message114 c to TCL 102 c within HA services 100 c for node 2 96 c.

TCL 102 a on node 0 96 a stops processing traffic and sends a message122 a to HA services 100 a on node 0 96 a to restore sub-program A 94 afrom the most recent checkpoint. In a similar manner, TCL 102 b on node1 96 b stops processing traffic and sends a message 122 b to HA services100 b on node 1 96 b to restore sub-program B 94 b from the most recentcheckpoint. Following the same pattern TCL 102 c on node 2 96 c stopsprocessing traffic and sends a message 122 c to HA services 100 c onnode 2 96 c to restore sub-program C 94 c from the most recentcheckpoint.

The restore process includes restoring local transport drivers 104 a,104 b and 104 c as well as TCLs 102 a, 102 b and 102 c. Halting andcheckpoint restore of the local transport is described in further detailbelow.

Restoration from checkpoints, as just described, is commonly performedas part of the fault recovery process. After a fault, one or more of thesub-programs may have crashed, exited, or otherwise ceased functioning.

According to one aspect of the invention, HA services 100 a terminatessub-program A 94 a, if running, before restoring; while HA services 100b terminates sub-program B 94 b, if running, before restoring; andfinally HA services 100 c terminates sub-program C 94 c, if running,before restoring. This sequence of termination before restorationguarantees that all subprograms are loaded and functional.

According to another aspect of the invention, HA services 100 a haltssub-program A 94 a, if running, before restoring; while HA services 100b halts sub-program B 94 b, if running, before restoring; and finally HAservices 100 c halts sub-program C 94 c, if running, before restoring.This sequence also guarantees that all sub-programs are loaded andfunctional.

By way of example, the restore process can also be initiated from HAservices 100 x on coordinator node 110. In this case HA services 100 xsends a message 120 to coordinator 108, which then proceeds as describedabove.

4. APPLICATION FAULT DETECTION AND RESTORE OF DISTRIBUTED APPLICATION

FIG. 5 illustrates by way of example embodiment 90, the detection offaults with initiation of a coordinated restore. Fault detection ofsingle node multi-process multi-threaded application is described in thefirst related application reference cited above. Returning to FIG. 5, itis seen that the example illustrates a scenario where sub-program A 94 afails. As described according to the Duration system, local faultdetection is provided by local HA services 100 a. Wherein local HAservices 100 a sends a message 124 to HA services 100 x on coordinatornode 110. HA services 100 x then sends a restore message 126 tocoordinator 108. The “restore from distributed checkpoint” proceeds asdescribed above.

5. FAULT DETECTION FOR NODE AND NETWORK FAULTS

FIG. 6 illustrates by way of example the detection and recovery of nodefaults. Node and network fault detection are described in the firstrelated application reference cited above.

The example illustrates a scenario where node 1 96 b serves as backuplocation for sub-program A 94 a. A node fault means that the entire nodehas gone down, due to a hardware or software fault. Network faults causethe entire node to become unreachable due to network outage.

HA services 100 b for the backup-location of sub-program A 94 a performsthe fault detection. HA services 100 b sends a message 128 to HAservices 100 x for coordinator 108. HA services 100 x sends a restoremessage 130 to coordinator 108. The “restore from distributedcheckpoint” proceeds as described above.

6. STOPPING AND FLUSHING THE TRANSPORT

FIG. 7 illustrates by way of example embodiment 150 the process ofstopping and flushing the transport. It should be pointed out thatstopping and flushing all transport buffers is integral toward ensuringconsistent and accurate checkpoints within distributed applications.Sub-program A 154 a is running on node 0 156 a and sub-programs B 154 bis running on node 1 156 b. Sub-program 154 a receives data from thetransport driver 158 a via message channel 160 a and sends messages viachannel 162 a. The figure illustrates a two node configuration, albeitit should be appreciated that the description naturally extends to anydesired number of nodes.

For node 0, the transport driver 158 a contains a buffer 164 a formessages going to the sub-program, and a buffer 166 a for receivingmessages from the application. For sub-program B 154 b the transportdriver 158 b contains a buffer 164 b for messages going to thesub-program, and a buffer 166 b for receiving messages from thesub-program. Node 0 156 a also contains within transport driver 158 a, abuffer 168 a for incoming transport messages, and a buffer 170 a foroutgoing transport messages. Similar buffer configuration is seen fornode 1, with buffers 164 b, 166 b, 168 b and 170 b within transportdriver 158 b.

A transport mechanism 172 is shown with the lowest layer of transportcontaining a message channel 174 a directed into the transport driver158 a of node 0 156 a, and a message channel 176 a directed out of thetransport driver. Node 1 156 a is similarly shown with message channels174 b, 176 b.

By way of example and not limitation, the message channels between thetransport driver and the applications, or between the transport and thedriver, can be implemented as containing any desired number andconfiguration of pipes, FIFOs, sockets, message queues, DMA, sharedmemory, or custom protocols.

Halting and flushing the transport driver is a multi-step process. Inone embodiment, the transport driver first stops sending out newmessages. By way of example, this means that the driver blocks messagechannels 164 a and 170 a on node 0 156 a, and message channels 164 b and170 b on node 1 156 b.

The transport driver proceeds to receive all incoming messages deliveredon message channel 166 a and 168 a on node 0 156 a, and message channel166 b and 168 b on node 1 156 b. Those messages are received and storedin the outgoing message queues for delivery after the checkpointingprocess.

On node 0 156 a, channel 176 a will not send new messages and channel174 a will receive all messages sent to it. On node 1 channel 176 b willnot send new messages and channel 174 b will receive all messages sentto it. When no more messages are “in transit”, the communication channel172 has been flushed and the transport traffic halted.

7. CHECKPOINTING THE TRANSPORT

Referring to FIG. 7 for illustrative purposes, checkpointing of thelocal transport 158 a on node 0 156 a and local transport 158 b on node1 156 b is achieved by using the standard checkpointing mechanism forsingle or multi process, multi-threaded applications, such as found inthe Duration system referred to in the first and second patentapplication references above, or similar systems and methods.

8. RESTORING THE TRANSPORT FROM A CHECKPOINT

Referring to FIG. 7 for illustrative purposes, a restore from acheckpoint of local transport 158 a on node 0 156 a, and local transport158 b on node 1 156 b is achieved by using the standard checkpointingmechanism for single or multi-process, multi-threaded application, suchas found in the Duration system referred to in the first and secondpatent application references above, or similar systems and methods.

9. ALTERNATE IMPLEMENTATION OF TRANSPORT AND FLUSHING OPERATION

By way of example, the disclosure above describes a transport driverarchitecture in which the transport driver is responsible for receiving,halting and flushing messages and issuing the messages to letsub-programs continue after checkpointing.

An alternate implementation layers the TCL between the application andthe transport driver, thereby forcing all communication betweenapplication and transport driver to go through the TCL.

FIG. 8 illustrates an example embodiment 190, in which sub-program A 154a now communicates with TCL 192 a instead of transport driver 158 a. Inaddition to the previously described role of coordinating flush, haltand continue operations with the coordinator, TCL 192 a is now alsoresponsible for flushing the transport driver and for triggeringcheckpointing and restoration.

The alternate architecture illustrated by FIG. 8 is particularly wellsuited for those transport drivers in which the transport driver doesnot provide built-in flush capability. TCL 192 a then assumesresponsibility for buffering and flushing all transport data.

The inter-positioning of TCL 192 a between the application and thetransport driver does not in any substantial way alter operationsdiscussed above.

10. LOSS-LESS MIGRATION OF DISTRIBUTED APPLICATIONS

Referring once again to FIG. 2 for illustrative purposes, the case ofmigrating the distributed application from one set of nodes to anotherset of nodes is considered. Migration of live applications is preferablyutilized in responding to the anticipation of faults, such as detectingthat a CPU is overheating, a server is running out of memory, and thelike, when the administrator wants to re-configure the servers or whenthe servers currently being used have to be freed up for some reason.

Building on the disclosures above, a loss-less migration is achieved by:first checkpointing the distributed application, including allsub-programs and local transports, then restoring all sub-programs andlocal transports from the checkpoints on the backup nodes. The migrationis loss-less, which means that no data or processing is lost, since thetransport and all sub-programs have been halted.

11. CONCLUSION

In the embodiments described herein, an example programming environmentwas described for which an embodiment of programming according to theinvention was taught. It should be appreciated that the presentinvention can be implemented by one of ordinary skill in the art usingdifferent program organizations and structures, different datastructures, and of course any desired naming conventions withoutdeparting from the teachings herein. In addition, the invention can beported, or otherwise configured for, use across a wide-range ofoperating system environments.

Although the description above contains many details, these should notbe construed as limiting the scope of the invention but as merelyproviding illustrations of some of the presently preferred embodimentsof this invention. Therefore, it will be appreciated that the scope ofthe present invention fully encompasses other embodiments which maybecome obvious to those skilled in the art, and that the scope of thepresent invention is accordingly to be limited by nothing other than theappended claims, in which reference to an element in the singular is notintended to mean “one and only one” unless explicitly so stated, butrather “one or more.” All structural and functional equivalents to theelements of the above-described preferred embodiment that are known tothose of ordinary skill in the art are expressly incorporated herein byreference and are intended to be encompassed by the present claims.Moreover, it is not necessary for a device or method to address each andevery problem sought to be solved by the present invention, for it to beencompassed by the present claims. Furthermore, no element, component,or method step in the present disclosure is intended to be dedicated tothe public regardless of whether the element, component, or method stepis explicitly recited in the claims. No claim element herein is to beconstrued under the provisions of 35 U.S.C. 112, sixth paragraph, unlessthe element is expressly recited using the phrase “means for.”

What is claimed is:
 1. A method of achieving transparent integration ofa distributed application program with a high availability protectionprogram, comprising: injecting registration code, transparently andautomatically, into a plurality of sub-programs during launch, withoutthe need of modifying or recompiling the application program and withoutthe need of a custom loader; registering the distributed applicationautomatically with a high-availability protection program; detecting afailure in the execution of the distributed application program by saidhigh-availability protection program; and executing the distributedapplication, subject to the detected failure, with one or more of thesub-programs being executed from their respective backup nodesautomatically by said high-availability protection program in responseto the failure.
 2. A method as recited in claim 1: wherein saidhigh-availability protection program is configured as an extension of anoperating system; wherein recovery of application programs by saidhigh-availability protection program is performed without the necessityof modifying programming within said application programs.
 3. A methodas recited in claim 1, wherein said high-availability protection programis configured for protecting against node faults, network faults, andprocess faults.
 4. A method as recited in claim 1, wherein saidhigh-availability protection program is configured to automaticallycoordinate transparent recovery of distributed applications.
 5. Acomputer program product having a computer readable medium tangiblyrecording computer program logic for achieving transparent integrationof a distributed application program with a high availability protectionprogram, the computer program product comprising: code to injectregistration code, transparently and automatically, into a plurality ofsub-programs during launch, without the need of modifying or recompilingthe application program and without the need of a custom loader; code toregister the distributed application automatically with ahigh-availability protection program; code to detect a failure in theexecution of the distributed application program by saidhigh-availability protection program; and code to execute thedistributed application, subject to the detected failure, with one ormore of the sub-programs being executed from their respective backupnodes automatically by said high-availability protection program inresponse to the failure.
 6. The computer program product as recited inclaim 5: wherein said high-availability protection program is configuredas an extension of an operating system; wherein recovery of applicationprograms by said high-availability protection program is performedwithout the necessity of modifying programming within said applicationprograms.
 7. The computer program product as recited in claim 5, whereinsaid high-availability protection program is configured for protectingagainst node faults, network faults, and process faults.
 8. The computerprogram product as recited in claim 5, wherein said high-availabilityprotection program is configured to automatically coordinate transparentrecovery of distributed applications.